Maturity Level 2 is the target most Australian mid-market businesses should be aiming at. It's credible against the adversaries you're actually likely to face, it's achievable inside a Microsoft 365 Business Premium or E3/E5 licence, and it doesn't require the operational overhead of ML3.
But if you try to move from ML0 to ML2 in a single big-bang project, you'll break things. Application control will block a legitimate app. Macro policy will kill the finance team's payroll workbook. Conditional Access will lock out a travelling executive at the wrong moment. The answer isn't to do less — it's to sequence better.
Weeks 1–2: Baseline and quick wins
Before you change anything, measure where you are. Run the Essential Eight self-assessment, pull the Secure Score dashboard from Microsoft Defender, and get Defender Vulnerability Management switched on for OS and app CVE visibility.
Then: pick up the cheap wins. Enable Windows Autopatch. Separate Global Admin accounts from day-to-day accounts. Set Conditional Access to require MFA for all sign-ins. These three moves take roughly two days of effort and lift your posture on three of the eight strategies.
Weeks 3–4: Identity and access
Strategy 5 (restrict admin) and strategy 7 (MFA) move together. Deploy Entra ID Privileged Identity Management for eligible role activation. Move your admin accounts to Authentication Strengths that require phishing-resistant MFA. Set Conditional Access to block admin accounts from browsing the web and receiving email.
Watch out for the service accounts. Every organisation has a handful of legacy service accounts that shouldn't be in admin roles but are. Refactor those before you enforce PIM — otherwise your first week in JIT mode will be a pager-storm.
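Conditional Access has its own audit mode, report-only state, which is the identity-side version of "measure before you enforce". The Graph PowerShell script below is an added example, not from the article: it creates the admin-role policy in report-only so the sign-in log shows which admin and service accounts would fail the phishing-resistant requirement. The role template ID and authentication strength ID are Microsoft's well-known values; the break-glass account ID is a placeholder and the policy name is invented.

```powershell
# Added example (not from the article): admin-role Conditional Access policy in report-only.
# Assumes the Microsoft.Graph PowerShell module and an account with Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Directory role template IDs are the same in every tenant; this is Global Administrator.
# Add the other privileged role template IDs you target to this array.
$AdminRoles = @('62e90394-69f5-4237-9190-012177145e10')

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2, certificate, Windows Hello).
$PhishingResistant = '00000000-0000-0000-0000-000000000004'

# Placeholder: the emergency-access account must always be excluded from this policy.
$BreakGlass = '<BREAK-GLASS-ACCOUNT-OBJECT-ID>'

$policy = @{
    displayName = 'CA-ADM-01 Admin roles require phishing-resistant MFA'   # invented name
    # Report-only: the policy is evaluated and logged on every sign-in but never enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = $AdminRoles; excludeUsers = @($BreakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $PhishingResistant }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Before changing state to 'enabled', review the report-only results in the sign-in log for
# every account holding the role. A 'Failure' outcome there is a lockout once enforced, which is
# exactly how the legacy service accounts sitting in admin roles show themselves.
```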
Weeks 5–7: Endpoint hardening in audit mode
Now the risky bits. Deploy Intune Security Baselines for Windows, Edge and Office. Switch on Attack Surface Reduction rules in audit mode. Deploy Windows Defender Application Control in audit mode across workstations.
The word 'audit' is load-bearing here. Every ASR rule and every WDAC policy generates telemetry without blocking anything for at least 30 days. You'll discover that the quality team's 2011 Access database relies on an unsigned VBA macro; that marketing's video editor uses an executable from their Downloads folder; that two business-critical apps need explicit allow-listing. Find these in audit. Don't find them in production.
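The audit period only pays off if someone reads the telemetry. The script below is an added example, not from the article: it puts three Office-related ASR rules into audit mode on a pilot device and then summarises the audit events by rule and offending process, so each row is a candidate exception to work through before the move to block. The rule GUIDs are Microsoft's published ASR identifiers; the EventData field names are assumed from the 1122 event payload and should be checked against a live event.

```powershell
# Added example (not from the article): ASR audit mode on a pilot endpoint plus an audit report.
# Requires an elevated session on Windows with Microsoft Defender Antivirus. In a managed fleet
# the same rules are set from Intune; this is for a pilot device or a lab box.

# Microsoft's documented ASR rule GUIDs; the names are for readability only.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

function Set-AsrAuditMode {
    # Actions are Disabled, Block, AuditMode or Warn. AuditMode logs the event and lets the action run.
    $ids     = @($AsrRules.Keys)
    $actions = @($ids | ForEach-Object { 'AuditMode' })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
    Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
}

function Get-AsrAuditReport {
    param([int]$Days = 30)
    # Event 1122 = rule matched in audit mode. 1121 is the enforced-block event you do not want yet.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML (field names assumed; verify on a live event).
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $id   = "$($data['ID'])".Trim('{}')
        $rule = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { $id }
        [pscustomobject]@{ Rule = $rule; Process = $data['Process Name']; Target = $data['Path'] }
    } | Group-Object Rule, Process | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Rule';    e = { $_.Group[0].Rule } },
            @{ n = 'Process'; e = { $_.Group[0].Process } },
            @{ n = 'Example'; e = { $_.Group[0].Target } }
}

# Day 0:        Set-AsrAuditMode
# Day 30+:      Get-AsrAuditReport -Days 30 | Format-Table -AutoSize
# Each row is either a legitimate app needing an exclusion or a rule to keep in audit a while longer.
```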
Weeks 8–10: Macro and data hygiene
Strategy 3 (Office macros) is almost always where the operational friction hits hardest. The pragmatic ML2 stance: macros from the internet blocked at source, signed macros allowed, trusted locations centrally managed via Cloud Policy for Microsoft 365 Apps.
Before you enforce, do a macro inventory. Defender for Endpoint surfaces which clients are running macros and from where. Your finance and operations teams will have the highest usage — engage them early, get their macro-enabled workbooks moved to a trusted SharePoint library, and help them code-sign the ones that survive.
Weeks 11–12: Backups, patching SLA, enforcement
Stand up a tested backup regime — Purview retention, a third-party M365 backup, and a documented restore runbook. Run a restore drill. Document the RTO/RPO you actually achieved, not the one the vendor marketing promises.
Move your ASR and WDAC policies from audit into enforce. Move app and OS patching into a documented SLA — two weeks for critical, 48 hours for exploited. Wire a dashboard so your exec team can see the SLA performance month to month.
What slips — and why
- Application control: almost always takes longer than planned. Plan for 60 days in audit, not 30, if you've got a long tail of line-of-business apps.
- Privileged accounts: your 'clean' admin inventory isn't clean. Budget a week to find and refactor the service accounts that shouldn't be there.
- Macros: engage finance and ops before you enforce. If you blindside them, you'll lose political capital you need for the rest of the program.
- Backup drills: the first quarterly restore test will fail in at least one scenario. Treat that as a feature of the program, not a bug.
ML2 on Microsoft 365 is genuinely achievable in a quarter. It's not achievable in a sprint. Sequence the work, measure in audit before you enforce, and bring the business along every step.